[
https://issues.apache.org/jira/browse/MODPYTHON-108?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Graham Dumpleton closed MODPYTHON-108.
--------------------------------------
> Let Cookie support new HttpOnly property to prevent cross-site cookie stealing
> ------------------------------------------------------------------------------
>
> Key: MODPYTHON-108
> URL: https://issues.apache.org/jira/browse/MODPYTHON-108
> Project: mod_python
> Issue Type: Improvement
> Components: core
> Affects Versions: 3.1.4, 3.3, 3.2.7
> Reporter: Deron Meranda
> Assigned To: Graham Dumpleton
> Priority: Minor
> Fix For: 3.3
>
> Attachments: MP108_20060427_grahamd_1.diff
>
>
> The Cookie.Cookie class does not allow the new "httponly" cookie property to
> be set. It needs to be added to the valid slots on the cookie metaclass.
> Also note that like the "secure" cookie attribute, it is simply a boolean
> flag without any value.
> The HttpOnly flag was invented by Microsoft but is seeing widespread support as
> a way to prevent cross-site scripting from stealing cookies using client-side
> Javascript. This is especially important for security-sensitive cookies,
> such as session keys.
> The mod_python session object should also explicitly set the HttpOnly
> property on the cookies it creates.
> See also these related references:
> 1. http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp
> 2. http://search.cpan.org/~mschout/Apache-AuthCookie-3.08/lib/Apache2/AuthCookie.pm
> 3. https://bugzilla.mozilla.org/show_bug.cgi?id=178993
> 4. http://www.linux.com/howtos/Secure-Programs-HOWTO/cross-site-malicious-content.shtml
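As an added example (not mod_python's own Cookie or Session code), the following Python uses the standard library's http.cookies to emit a session cookie carrying the valueless Secure and HttpOnly flags the issue describes, and a small Set-Cookie parser that audits a response's cookies for any missing HttpOnly. The sample header values are constructed.

```python
from http.cookies import SimpleCookie


def build_session_cookie(name, value, secure=True, httponly=True):
    """Return a Set-Cookie header value for a session-style cookie.

    'secure' and 'httponly' are boolean attributes: they are either present
    in the header (no '=value') or absent, exactly as the issue notes.
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    if secure:
        jar[name]["secure"] = True      # emitted as 'Secure'
    if httponly:
        jar[name]["httponly"] = True    # emitted as 'HttpOnly'
    # e.g. 'session=abc123; HttpOnly; Path=/; Secure'
    return jar[name].OutputString()


def cookie_flags(set_cookie_value):
    """Parse one Set-Cookie header value into (cookie_name, lowercase attrs).

    Valueless flags such as HttpOnly and Secure become bare keys in the set;
    valued attributes (Path=/, Domain=...) contribute just their key.
    """
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = set()
    for part in parts[1:]:
        key = part.split("=", 1)[0].strip().lower()
        if key:
            attrs.add(key)
    return name, attrs


def audit_set_cookies(set_cookie_values):
    """Return the names of cookies that are readable by client-side script,
    i.e. whose Set-Cookie value lacks the HttpOnly flag."""
    missing = []
    for header_value in set_cookie_values:
        name, attrs = cookie_flags(header_value)
        if "httponly" not in attrs:
            missing.append(name)
    return missing


if __name__ == "__main__":
    # Constructed sample: one hardened cookie, two legacy ones without HttpOnly.
    sample = [build_session_cookie("session", "abc123"),
              "pref=dark; Path=/",
              "legacy=42; Path=/; Secure"]
    print(audit_set_cookies(sample))
```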